Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbe50580ee8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fbe50580f80 RCX: 00007fbe4f87e1ea RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000000 RBP: 0000000020000180 R08: 00007fbe50580f80 R09: 0000000001a404bc R10: 0000000001a404bc R11: 0000000000000202 R12: 0000000020000100 R13: 00007fbe50580f40 R14: 0000000000000000 R15: 0000000020001880 ------------[ cut here ]------------ kernel BUG at fs/btrfs/extent-tree.c:3252! invalid opcode: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 1484 Comm: syz-executor.3 Not tainted 6.5.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023 RIP: 0010:btrfs_free_tree_block+0xd19/0xd20 fs/btrfs/extent-tree.c:3252 Code: 44 89 f1 80 e1 07 38 c1 0f 8c 96 f8 ff ff be 08 00 00 00 4c 89 f7 e8 86 ed 5e fe e9 84 f8 ff ff e8 1c 44 37 07 e8 d7 0b 06 fe <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 30 49 RSP: 0018:ffffc900161cf000 EFLAGS: 00010246 RAX: ffffffff8385aca9 RBX: 00000000fffffff4 RCX: 0000000000040000 RDX: ffffc9000af31000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc900161cf150 R08: ffffffff8385a309 R09: 1ffffffff1a840a6 R10: dffffc0000000000 R11: fffffbfff1a840a7 R12: ffff88802ba6d560 R13: dffffc0000000000 R14: 0000000000000001 R15: ffffc900161cf080 FS: 00007fbe505816c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007efd8dcf30f0 CR3: 000000003babb000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __btrfs_cow_block+0xe8c/0x1ae0 fs/btrfs/ctree.c:601 btrfs_cow_block+0x403/0x780 fs/btrfs/ctree.c:712 btrfs_search_slot+0xbf9/0x2f80 
fs/btrfs/ctree.c:2194 btrfs_update_root+0xf2/0xc80 fs/btrfs/root-tree.c:137 commit_fs_roots+0x4c2/0x720 fs/btrfs/transaction.c:1450 btrfs_commit_transaction+0xfcd/0x2ff0 fs/btrfs/transaction.c:2393 sync_filesystem+0x1c0/0x220 fs/sync.c:66 btrfs_remount+0x231/0x14a0 fs/btrfs/super.c:1690 reconfigure_super+0x43e/0x870 fs/super.c:961 do_remount fs/namespace.c:2882 [inline] path_mount+0xc24/0xfa0 fs/namespace.c:3654 do_mount fs/namespace.c:3675 [inline] __do_sys_mount fs/namespace.c:3884 [inline] __se_sys_mount+0x2d9/0x3c0 fs/namespace.c:3861 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fbe4f87e1ea Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb a6 e8 de 09 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fbe50580ee8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007fbe50580f80 RCX: 00007fbe4f87e1ea RDX: 0000000020000180 RSI: 0000000020000100 RDI: 0000000000000000 RBP: 0000000020000180 R08: 00007fbe50580f80 R09: 0000000001a404bc R10: 0000000001a404bc R11: 0000000000000202 R12: 0000000020000100 R13: 00007fbe50580f40 R14: 0000000000000000 R15: 0000000020001880 Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:btrfs_free_tree_block+0xd19/0xd20 fs/btrfs/extent-tree.c:3252 Code: 44 89 f1 80 e1 07 38 c1 0f 8c 96 f8 ff ff be 08 00 00 00 4c 89 f7 e8 86 ed 5e fe e9 84 f8 ff ff e8 1c 44 37 07 e8 d7 0b 06 fe <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 30 49 RSP: 0018:ffffc900161cf000 EFLAGS: 00010246 RAX: ffffffff8385aca9 RBX: 00000000fffffff4 RCX: 0000000000040000 RDX: ffffc9000af31000 RSI: 000000000003ffff RDI: 0000000000040000 RBP: ffffc900161cf150 R08: ffffffff8385a309 R09: 1ffffffff1a840a6 R10: dffffc0000000000 R11: fffffbfff1a840a7 R12: ffff88802ba6d560 R13: dffffc0000000000 R14: 0000000000000001 R15: 
ffffc900161cf080 FS: 00007fbe505816c0(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055ee557f4358 CR3: 000000003babb000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 ---------------- Code disassembly (best guess): 0: d8 64 89 02 fsubs 0x2(%rcx,%rcx,4) 4: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax b: eb a6 jmp 0xffffffb3 d: e8 de 09 00 00 call 0x9f0 12: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1) 19: 00 00 00 1c: 0f 1f 40 00 nopl 0x0(%rax) 20: 49 89 ca mov %rcx,%r10 23: b8 a5 00 00 00 mov $0xa5,%eax 28: 0f 05 syscall * 2a: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction 30: 73 01 jae 0x33 32: c3 ret 33: 48 c7 c1 b0 ff ff ff mov $0xffffffffffffffb0,%rcx 3a: f7 d8 neg %eax 3c: 64 89 01 mov %eax,%fs:(%rcx) 3f: 48 rex.W
Note: the disassembly above decodes the last `Code:` line in the report, which is the user-space context (RIP 0033:0x7fbe4f87e1ea — a libc syscall stub loading nr 0xa5 = 165 = mount(2) into %eax, matching ORIG_RAX and the `__se_sys_mount` frame in the call trace). The `<-- trapping instruction` marker there only shows where user space was when it entered the kernel; it is not the faulting instruction. The kernel-side fault is the bracketed `<0f> 0b` (ud2) at RIP 0010:btrfs_free_tree_block+0xd19/0xd20 fs/btrfs/extent-tree.c:3252, the trap x86 BUG()/BUG_ON() compiles to, which is why the report says `invalid opcode: 0000`. At that point RBX holds 0xfffffff4 (-12 = -ENOMEM), which suggests the BUG_ON was hit on an allocation failure during the transaction commit triggered by btrfs_remount -> sync_filesystem (syzkaller commonly injects such failures); confirm against the BUG_ON at that source line before treating this as anything other than an allocation-failure path.